Remmoves insecure redirects

This should really fundamentally work differently, but this is a quick for for now to avoid an insecure redirect. There will be a negative impact on user experience from this, and a followup change should look into these views and improve their flow.
2022-07-14 11:13:11 -07:00 · 2022-07-14 11:13:11 -07:00 · 661865de87
commit 661865de87
parent e3dbe5a142
6 changed files with 19 additions and 21 deletions
--- a/bookwyrm/views/shelf/shelf_actions.py
+++ b/bookwyrm/views/shelf/shelf_actions.py
@ -13,7 +13,7 @@ def create_shelf(request):
    """user generated shelves"""
    form = forms.ShelfForm(request.POST)
    if not form.is_valid():
-        return redirect(request.headers.get("Referer", "/"))
+        return redirect("user-shelves", request.user.localname)

    shelf = form.save()
    return redirect(shelf.local_path)
@ -70,7 +70,7 @@ def shelve(request):
            ):
                current_read_status_shelfbook.delete()
            else:  # It is already on the shelf
-                return redirect(request.headers.get("Referer", "/"))
+                return redirect("/")

        # create the new shelf-book entry
        models.ShelfBook.objects.create(
@ -86,7 +86,7 @@ def shelve(request):
        # Might be good to alert, or reject the action?
        except IntegrityError:
            pass
-    return redirect(request.headers.get("Referer", "/"))
+    return redirect("/")


@login_required
@ -100,4 +100,4 @@ def unshelve(request, book_id=False):
    )
    shelf_book.raise_not_deletable(request.user)
    shelf_book.delete()
-    return redirect(request.headers.get("Referer", "/"))
+    return redirect("/")